Advertisement






FreeBSD/Apple libc link_ntoa() buffer overflow

CVE Category Price Severity
CVE-2015-2915 CWE-119 $30,000 High
Author Risk Exploitation Type Date
Unknown High Local 2016-12-07
CVSS EPSS EPSSP
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N 0.978 0.978

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2016120046

Below is a copy:

FreeBSD/Apple libc link_ntoa() buffer overflowImproper bounds checking of the obuf variable in the link_ntoa() function in linkaddr.c may allow an attacker to read or write from memory.

The routine link_addr() interprets character strings representing link-level addresses, returning binary information suitable for use in system calls.  The routine link_ntoa() takes a link-level address and returns an ASCII string representing some of the information present, including the link level address itself, and the interface name or number, if present. This facility is experimental and is still subject to change.

For link_addr(), the string addr may contain an optional network interface identifier of the form ``name unit-number'', suitable for the first argument to ifconfig(8), followed in all cases by a colon and an interface address in the form of groups of hexadecimal digits separated by periods.  Each group represents a byte of address; address bytes are filled left to right from low order bytes through high order bytes.

Thus le0:8.0.9.13.d.30 represents an ethernet address to be transmitted on the first Lance ethernet interface.

If the sdl_len field of the link socket address sdl is 0, link_ntoa() will not insert a colon before the interface address bytes.  If this translated address is given to link_addr() without inserting an initial colon, the latter will not interpret it correctly.


PATCH:
+++ lib/libc/net/linkaddr.c
@@ -35,6 +35,7 @@
 
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <net/if.h>
 #include <net/if_dl.h>
 #include <string.h>
 
@@ -122,31 +123,47 @@
 link_ntoa(const struct sockaddr_dl *sdl)
 {
 static char obuf[64];
-char *out = obuf;
-int i;
-u_char *in = (u_char *)LLADDR(sdl);
-u_char *inlim = in + sdl->sdl_alen;
-int firsttime = 1;
+_Static_assert(sizeof(obuf) >= IFNAMSIZ + 20, "obuf is too small");
+char *out;
+const char *in, *inlim;
+int namelen, i, rem;
 
-if (sdl->sdl_nlen) {
-bcopy(sdl->sdl_data, obuf, sdl->sdl_nlen);
-out += sdl->sdl_nlen;
-if (sdl->sdl_alen)
+namelen = (sdl->sdl_nlen <= IFNAMSIZ) ? sdl->sdl_nlen : IFNAMSIZ;
+
+out = obuf;
+rem = sizeof(obuf);
+if (namelen > 0) {
+bcopy(sdl->sdl_data, out, namelen);
+out += namelen;
+rem -= namelen;
+if (sdl->sdl_alen > 0) {
 *out++ = ':';
+rem--;
+}
 }
-while (in < inlim) {
-if (firsttime)
-firsttime = 0;
-else
+
+in = (const char *)sdl->sdl_data + sdl->sdl_nlen;
+inlim = in + sdl->sdl_alen;
+
+while (in < inlim && rem > 1) {
+if (in != (const char *)sdl->sdl_data + sdl->sdl_nlen) {
 *out++ = '.';
+rem--;
+}
 i = *in++;
 if (i > 0xf) {
-out[1] = hexlist[i & 0xf];
+if (rem < 3)
+break;
+*out++ = hexlist[i & 0xf];
 i >>= 4;
-out[0] = hexlist[i];
-out += 2;
-} else
 *out++ = hexlist[i];
+rem -= 2;
+} else {
+if (rem < 2)
+break;
+*out++ = hexlist[i];
+rem++;
+}
 }
 *out = 0;
 return (obuf);



Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum